IOS IPv4 ACCESS LISTS 

Standard ACL Syntax

! Legacy syntax
access-list <number> {permit | deny} <source> [log]

! Modern syntax
ip access-list standard {<number> | <name>}
 [<sequence>] {permit | deny} <source> [log]

Extended ACL Syntax

! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

! Modern syntax
ip access-list extended {<number> | <name>}
 [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

Actions

permit    Allow matched packets
deny      Deny matched packets
remark    Record a configuration comment
evaluate  Evaluate a reflexive ACL

ACL Numbers

1-99       IP standard
100-199    IP extended
200-299    Protocol
300-399    DECnet
400-499    XNS
500-599    Extended XNS
600-699    Appletalk
700-799    Ethernet MAC
800-899    IPX standard
900-999    IPX extended
1000-1099  IPX SAP
1100-1199  MAC extended
1200-1299  IPX summary
1300-1999  IP standard
2000-2699  IP extended

Source/Destination Definitions

any               Any address
host <address>    A single address
<network> <mask>  Any address matched by the wildcard mask

IP Options

dscp <DSCP>       Match the specified IP DSCP
fragments         Check non-initial fragments
option <option>   Match the specified IP option
precedence {0-7}  Match the specified IP precedence
ttl <count>       Match the specified IP time to live (TTL)

TCP/UDP Port Definitions

eq <port>            Equal to
lt <port>            Less than
neq <port>           Not equal to
gt <port>            Greater than
range <port> <port>  Matches a range of port numbers

Miscellaneous Options

reflect <name>     Create a reflexive ACL entry
time-range <name>  Enable rule only during the given time range

TCP Options

ack          Match ACK flag
fin          Match FIN flag
psh          Match PSH flag
rst          Match RST flag
syn          Match SYN flag
urg          Match URG flag
established  Match packets in an established session

Logging Options

log        Log ACL entry matches
log-input  Log matches including ingress interface and source MAC address

Applying ACLs to Restrict Traffic

interface FastEthernet0/0
 ip access-group {<number> | <name>} {in | out}

Troubleshooting

show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show time-range [<name>]
show ip access-lists dynamic
show ip access-lists interface <interface>
show ip interface [<interface>]

packetlife.net
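As an added example that is not part of the PacketLife sheet, the Python below models how IOS walks an extended ACL written in the syntax above: wildcard-mask matching (0 bits must match, 1 bits are ignored), the port operators, `established`, first match wins, and the implicit deny that IOS applies when no entry matches. The sample ACL, addresses and ports are constructed; the evaluator covers only the syntax elements the sample uses and treats `log` and the other trailing options as inert.

```python
import ipaddress, operator
# Constructed sample ACL in the modern (named) extended syntax from the sheet.
SAMPLE_ACL = """
10 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443
20 permit udp any host 192.0.2.53 eq 53
30 permit tcp any 10.0.0.0 0.0.0.255 range 1024 65535 established
40 deny ip 10.0.0.0 0.0.0.255 any log
"""
PORT_OPS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt, "gt": operator.gt}

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def _take_addr(tok, i):
    # One source/destination definition: any | host <address> | <network> <mask>
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return ((tok[i + 1], "0.0.0.0") if tok[i] == "host" else (tok[i], tok[i + 1])), i + 2

def _take_ports(tok, i):
    # Optional TCP/UDP port definition; returns a predicate over a port number
    if tok[i:i + 1] == ["range"]:
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    if tok[i:i + 1] and tok[i] in PORT_OPS:
        op, arg = PORT_OPS[tok[i]], int(tok[i + 1])
        return (lambda p: op(p, arg)), i + 2
    return (lambda p: True), i

def parse_entry(line):
    # One ACE -> (action, protocol, src, src_ports, dst, dst_ports, trailing options)
    tok = line.split()
    i = 1 if tok[0].isdigit() else 0  # optional sequence number
    action, proto = tok[i], tok[i + 1]
    src, i = _take_addr(tok, i + 2)
    sport, i = _take_ports(tok, i)
    dst, i = _take_addr(tok, i)
    dport, i = _take_ports(tok, i)
    return action, proto, src, sport, dst, dport, set(tok[i:])

def evaluate(acl_text, proto, src, sport, dst, dport, established=False):
    """First matching ACE decides; when nothing matches, IOS applies an implicit deny."""
    for action, p, s, sp, d, dp, opts in map(parse_entry, acl_text.strip().splitlines()):
        if p not in ("ip", proto) or ("established" in opts and not established):
            continue
        if wildcard_match(src, *s) and sp(sport) and wildcard_match(dst, *d) and dp(dport):
            return action
    return "deny"
```

Running a candidate ACL through `evaluate` with the flows it is meant to permit and block is a cheap pre-deployment check; the return traffic case (entry 30) only passes when the `established` flag is set, which is the behaviour that entry relies on.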